Google patches “99%” Android bug, says it’s in OEM hands now

You may have heard about a pretty scary bug discovered by Bluebox Security that affects 99% of current Android devices. The gist of the exploit involves repackaging a signed application, say one that you’d download from Google Play, with malware, but the security payload itself would be identical to the original.

No Android devices have been affected as yet, and Samsung has already patched the issue in its Galaxy S4 flagship, but practically every other device, from Android 1.6 to 4.2.2, is vulnerable to the issue. Android Central’s Jerry Hildenbrand gives a great overview of the bug and how to prevent it from affecting your phone, though the gist is simple: don’t, under any circumstances, sideload software from outside Google Play. While software uploaded to Google Play has been found to contain malware before, it’s not possible to take advantage of this particular exploit when distributing through the official channels.

Google confirmed recently to ZDNet that it has patched the exploit and submitted the corresponding code to its manufacturer partners. Now all that’s left to do is get the OEMs such as Samsung, HTC et al. to schedule minor updates with their own carrier partners like Rogers, TELUS and Bell to fix the issue. That alone has been the bane of users’ existence for years, so it’s unlikely many older phones will ever see the aforementioned bug fix; newer devices will likely see it lumped into larger software rollouts.

OEMs should be legally allowed to forgo carrier testing when rolling out vital bug fixes like this – it’s a ridiculous procedure as it is to be honest, and for it to cause a massive delay in the roll out of a crucial security bug fix is absolutely absurd.

TomsDisqusted

Yes, but I doubt they would consider this one crucial since (a) it only potentially affects the tiny portion of users who side-load, and (b) it hasn’t actually affected anyone yet. (Don’t get me wrong – it is a serious bug.)

Igor Magun

Well yes, as usual the security of a phone is ultimately down to the user’s habits, but I still find it absurd that carrier testing has to get in the way of security fixes, let alone any other updates to the OS. I run “untested” operating systems on my phones all the time (leaked OS’ on my BlackBerry’s, Google’s own ROM’s on my Nexus 4), and not only has it not done me any harm, it often improves my experience with various bug fixes and new features.

I’m not a big fan of Apple products, but credit where credit’s due, I admire Apple for taking the opportunity to get carriers out of the picture for iOS updates. Google now does the same with the Nexus series. Now if only the rest of the OEM’s could afford to do so.

beyond

does it affect tablets? will they patch older tablets and phones? will I be safe? is the world going to end?

Henry

Yes

Rich

Honestly, if you have an Android device you can’t be too concerned with security to begin with.

Claude Poirier

Here we go again, let me guess you are the proud owner of a stupid proof Iphone or a totally useless WP8 phone or maybe a 1980ish smart blackberry?

Actually, I own an Android, believe it or not. I’m just not obsessed with it, or any other phone.

Let’s be honest, it’s easy to get malware onto the Play Store. The trending section is often riddled with apps that can will spam your notification bar, take phone numbers, and even text your friends on its own accord. There’s a reason why there are antivirus apps for Android and it’s scarce -> non-existent on every other platform.

Android is definitely top dog when it comes to customization + openness and that leads to a weakness when it comes to security. This becomes even worse if you root — although it becomes another balance of letting in the good and also potentially the bad.

Rick Gionfriddo

Well, in my experience, Norton is a crap AntiVirus anyway… I have seen that you get more from most free AV’s than you do from the likes of Norton and McAffee… Avast! and Comodo make great free security solutions for both Windows and Android, and in the case of Avast!, they also have great products for OS X and Linux as well. Both companies have a paid option with more features as well… Just saying… And, there are always the other paid AntiVirus softs, like ESET and Trend Micro, both of which are 1. better than Norton, and 2. available for Android, free of charge… I rest my case…

Henry

And if a person has no idea of what they’re doing when they switch off security options then they should have an iphone.

As much as people moan and complain about Blackberry you very well know they would never have allow this to happen

Blair Brydges

lol the bug is only exploitable on a device that the user has willingly disabled a security option.

beyond

yes because Blackberry is a special unique company that is run by perfect humans that make no errors

southerndinner

That’s because no one wants to hack BlackBerries, its users are boring

dyeyourcarpet

Blackberrys not popular enough as soon as it were to reach the popularity of IOS or Android it would be subject to the same exploits.BlackBerry didnt get the love it deserved I believe the Z10 was a great device Hardware wise but is anemic on the apps side.

Sean McConnell

When will this be rolled out to Nexus devices?

Ari Mukherjee

As much as I love my android, I love Apple’s release of software updates and their power over the carriers. I also wish stock android was pre-loaded on every phone and the OEM’s skin could be optional and it could be easily deleted just like any other app.

Brushrop03

OEM’s UI runs pretty deep in the core Android OS. It’s not just a launcher.

sicsicpuppy

What bug ? Me no worry

TomsDisqusted

Android has a feature that allows you to run side-loaded apps through Google’s anti-malware check before installing them. (I believe this is the ‘verify apps’ option in security settings.) I think the check done by this option is not as thorough as the check done on apps submitted to the app store, but perhaps that would catch malware trying to exploit this bug.

Jonathan G.

As great as this is for Google to send it out to other OEMs to implement, I would love to know when they will send it out to those that are using Nexus phones.

sicsicpuppy

it’s that loose 1% that got me my title : father

Yup I trust what Google always say

dyeyourcarpet

Google needs to have a way to flash updates via play such as security patches. The Blame game needs to stop Google needs to take action and allow other means to receive update that are not carrier specific or necsesarliy OTA, Also carriers should be penalized! not the user for negligence in updates. Carriers hide behind “void warranty” or “carrier testing” clause but do nothing to protect consumer in the event of know exploited device with known security issues.

Brushrop03

Yeah, that wouldn’t work. A security patch like this isn’t like an app. There is just too much of a difference in the underlying code for that to work. The manufacturers would have to implement this code.

dyeyourcarpet

my point exactly the infrastructure need to be re written. I dont even know why modern phones cant run native instead of VM.